In August 2017, we announced our commitment to comply with the European Union's new General Data Protection Regulation (GDPR), which applies to users in the European Economic Area (EEA). This article provides additional details about how we are supporting advertisers and marketers with the changes the GDPR brings.

Contract updates

We have been rolling out updates to our contracts for many products since August 2017, reflecting Google's status as either a processor or a controller under the new law.

Find out more about how we use data in Google Marketing Platform and Google Ads:

Consent support

The GDPR introduces significant new obligations for the ecosystem, and the changes we announced to our EU User Consent Policy reflect this. Under this policy, advertisers that implement remarketing tags are required to obtain consent from users for the collection of data for personalised ads and advertisers that implement conversion tags for measurement purposes are required to obtain consent for the use of cookies.

To address questions we have received from our customers, we have updated cookiechoices.org with examples of consent language and available third-party consent solutions.

If you use Google ads products that receive data from your site or app, we encourage you to link to How Google uses information from sites or apps that use our services, which explains how Google manages data in our ads products. Doing so will meet the requirement of our updated EU User Consent Policy to give users information about Google's uses of their personal data.

Third-party ad serving and measurement changes

On Google Ad Manager, Google Ad Manager, AdSense and AdMob

To help publishers choose the ad technology providers that can serve and measure ads on their sites and apps for users in the EEA, we have launched Ad Technology Provider Controls for publishers (Google Ad Exchange, AdMob, AdSense). If a publisher doesn't engage with these controls to choose their own list, we will apply a list of commonly used Ad Technology Providers.

In practice, this means that your Google Ads and Display & Video 360 campaigns will only serve on an ad impression in the EEA where a given publisher has selected (and has received user consent for) the Ad Technology Providers that you use. All providers listed have shared with Google a link explaining their data usage and provided certain information that is required by the GDPR, and have agreed to comply with our data usage policy. Any providers you work with can contact Google to seek certification to be included in the Ad Technology Providers list.

As previously announced, we're also launching a Non-Personalised Ads solution (Google Ad Exchange, AdMob, AdSense) to enable publishers to present EEA users with a choice between personalised ads and non-personalised ads (or to choose to serve only non-personalised ads to users in the EEA). Campaigns that reach users based on demographics and categories of apps they've installed, for instance, are not eligible to serve on non-personalised inventory. The choices users make on publisher sites that offer non-personalised ads will determine the availability of personalised and non-personalised inventory for these sites. We encourage Google Ads and Display & Video 360 advertisers to closely monitor campaign delivery after 25 May and consider alternative campaign criteria as needed.

On YouTube

In January 2017, we announced that YouTube will stop accepting most third-party measurement pixels globally starting 21 May 2018. We also announced that we are working with a small group of vendors (including comScore, DoubleVerify, IAS, MOAT, Nielsen, Kantar, and Research Now) to evaluate the re-certification of their pixels. Additionally, advertisers can enable YouTube reporting via the partners we have integrated with Ads Data Hub (ADH).

Data collection, deletion and retention controls

Audience lists in Google Ads / Google Marketing Platform

Google Ads Customer Match Audiences: We won't retain data files advertisers upload for any longer than necessary to create Customer Match audiences and ensure compliance with our policies (see How Google uses Customer Match data). Once those processes are complete, we'll promptly delete the data files uploaded in Google Ads or the Google Ads API. For information on how to update or replace an existing Customer Match audience, see Update your customer list.

Remarketing with Google Ads or Floodlight tags: Advertisers control which users are added to remarketing lists and which are not, as well as the duration users stay on a list. Today, if you use the Google Ads or Floodlight tag for remarketing, you need to ensure that the tag is not active for users who have indicated they do not want to receive personalised ads. There are many ways to achieve this. We recommend that you consult your webmaster on possible solutions, including Google Tag Manager. If you use the Google Analytics tag for Google Ads remarketing, please see the "Google Analytics data" section below.

Campaign Manager provided lists: Advertisers control how long cookies remain on a given audience list. To remove a user from a list, you can add a "1" next to the identifier associated with the cookie that you would like to remove from the list. To learn more, see File formating > File headers > Delete in the Provided lists Help Centre article.

Google Analytics data

Google Analytics has long provided features and policies to help you safeguard your data. The following features, in particular, may prove useful as you evaluate the impact of the GDPR for your company's unique situation and Analytics implementation.

Users: The User Deletion API lets you to manage the deletion of all data associated with individual users (e.g. site visitors) from your Google Analytics and/or Analytics 360 properties.

Properties and accounts: Google Analytics customers can also delete data for their properties and/or accounts.

Remarketing: Advertisers control which users are added to remarketing lists and which are not. If you use Google Analytics, you can ensure that advertising features are disabled for users who have indicated they do not want to receive personalised ads. To disable advertising features for those users, including remarketing and advertising reporting features, see "Disable advertising features" in the Display Features guide.

Working with the IAB Transparency & Consent Framework

Once Google is registered on the IAB's Global Vendor List, Display & Video 360 will serve programmatic non-personalised ads to publishers on Google Ad Manager provided that a user has given consent to Google for Purpose 1 ("Information storage and access") and Purpose 3 ("Ad selection, delivery, reporting") of the IAB Europe's Transparency & Consent Framework.

Google Ad Manager will add support for personalised ad serving for publishers using the IAB Europe's Transparency & Consent Framework by early June. This will be an interim solution that translates the consent information collected by the IAB's Framework to Google Ad Manager Ad Technology Provider settings. When consent has been given to all of the publishers selected for Purpose 1, Purpose 2 and Purpose 3 of the Transparency & Consent Framework, personalised ads may be served.

We expect to fully integrate Google Ad Manager with the IAB Europe's Transparency & Consent Framework by August. This will enable publishers to serve personalised ads based on consent passed by a user, per vendor or serve non-personalised ads.

Buying inventory from third-party exchanges:

Once Google is registered on the IAB's Global Vendor List, Display & Video 360 users will be able to purchase inventory from our third-party exchange partners, who are also subject to Google's EU User Consent Policy, provided the third-party exchange sends us requests that contain explicit purpose and vendor consent in the bid request (utilising the IAB's framework). When valid consent is provided, Display & Video 360 can serve personalised ads through these exchanges.